But this signed integer is never checked against the constant ‘gdMaxColors’, so the user can request more than 256 colors. This would result in a buffer overflow during the last ‘for’ loop of the _gdGetColors() routine.
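The missing check described above, shown on a simplified palette reader. This is an added example, not libgd's code or its patch: the image struct, the in-memory stream, the file layout (a 32-bit big-endian color count followed by one RGB byte triple per color) and the sample inputs are all constructed here; only the constant gdMaxColors = 256 comes from libgd. The point it shows is that the count read from the file must be validated on both sides (negative and above gdMaxColors) before it becomes the loop bound that indexes the fixed-size palette arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* libgd's palette limit: the per-channel arrays below hold exactly this many entries. */
#define gdMaxColors 256

/* Simplified stand-in for the image structure (assumption, not libgd's gdImage). */
typedef struct {
    int colorsTotal;
    int red[gdMaxColors];
    int green[gdMaxColors];
    int blue[gdMaxColors];
} palette_image_t;

/* Minimal in-memory input stream (assumption, standing in for libgd's I/O context). */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_stream_t;

static int read_byte(mem_stream_t *s, int *out)
{
    if (s->pos >= s->len)
        return 0;                     /* truncated input */
    *out = s->data[s->pos++];
    return 1;
}

/* Big-endian signed 32-bit word; a set high bit comes back as a negative count. */
static int read_int32(mem_stream_t *s, int *out)
{
    if (s->len - s->pos < 4)
        return 0;
    uint32_t v = ((uint32_t)s->data[s->pos] << 24) | ((uint32_t)s->data[s->pos + 1] << 16)
               | ((uint32_t)s->data[s->pos + 2] << 8) | (uint32_t)s->data[s->pos + 3];
    s->pos += 4;
    *out = (int)v;                    /* two's-complement wrap on every mainstream platform */
    return 1;
}

/* The check the vulnerable loop lacked. Both halves matter: a negative count slips
 * past a bare "count > gdMaxColors" test, and a count above gdMaxColors indexes
 * past the end of the three palette arrays. */
static int color_count_is_valid(int colorsTotal)
{
    return colorsTotal >= 0 && colorsTotal <= gdMaxColors;
}

/* Hardened palette reader: returns 0 on success, -1 on a rejected or truncated file.
 * Constructed layout: int32 color count, then one (r, g, b) byte triple per color. */
int get_colors_checked(mem_stream_t *s, palette_image_t *im)
{
    int count;
    if (!read_int32(s, &count))
        return -1;
    /* Without this test the file's count becomes the loop bound directly, and a
     * count above gdMaxColors writes beyond red[]/green[]/blue[]. */
    if (!color_count_is_valid(count))
        return -1;
    im->colorsTotal = count;
    for (int i = 0; i < count; i++) {
        if (!read_byte(s, &im->red[i]) || !read_byte(s, &im->green[i]) || !read_byte(s, &im->blue[i]))
            return -1;                /* palette data shorter than the count claims */
    }
    return 0;
}

/* Convenience wrapper over a raw buffer. */
int parse_palette_checked(const unsigned char *buf, size_t len, palette_image_t *im)
{
    mem_stream_t s = { buf, len, 0 };
    return get_colors_checked(&s, im);
}

/* Constructed sample inputs (not taken from any real .gd file). */
const unsigned char VALID_PALETTE[] = { 0, 0, 0, 3, 255, 0, 0, 0, 255, 0, 0, 0, 255 }; /* 3 colors: R, G, B */
const unsigned char OVERSIZED_HEADER[] = { 0, 0, 0x03, 0xE8 };                         /* claims 1000 colors */
const unsigned char NEGATIVE_HEADER[] = { 0x80, 0, 0, 0 };                             /* claims INT_MIN colors */

int main(void)
{
    palette_image_t im;
    printf("3-color file:      %s\n", parse_palette_checked(VALID_PALETTE, sizeof VALID_PALETTE, &im) == 0 ? "accepted" : "rejected");
    printf("1000-color header: %s\n", parse_palette_checked(OVERSIZED_HEADER, sizeof OVERSIZED_HEADER, &im) == 0 ? "accepted" : "rejected");
    printf("negative header:   %s\n", parse_palette_checked(NEGATIVE_HEADER, sizeof NEGATIVE_HEADER, &im) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The oversized header is rejected before a single palette byte is read; with the check removed, a file carrying 1000 triples after that header would drive the fill loop to index 999 of arrays sized 256. The negative header shows why the lower bound is part of the same check: a signed count below zero passes any comparison that only looks at the upper limit, and although the loop then runs zero times, the bogus colorsTotal would be stored and trusted by later code.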
Of course, this was patched like this:

2 Responses

Not sure if this is still accurate, but from my old notes I had 6 entry points for this bug:
– gdImageCreateFromGd
– gdImageCreateFromGdPtr
– gdImageCreateFromGd2
– gdImageCreateFromGd2Ptr
– gdImageCreateFromGd2Part
– gdImageCreateFromGd2PartPtr